Anonymous Plays Games With U.S. Sites

Protesting over death of Internet activist Aaron Swartz, Anonymous defaces U.S. government websites to hide a free game of Asteroids.

Anonymous has gone old-school with its latest attack, altering a number of U.S. government websites to hide a free game of Asteroids.

The hacktivist collective's initial target was the website of the U.S. Sentencing Commission, which establishes sentencing policies and practices for the federal courts. After the site was reportedly altered Friday, the site's administrators expunged the Asteroids game over the weekend. As of Monday morning, the site's administrators had apparently taken the site -- which Anonymous claimed to still control -- offline.

A statement posted by Anonymous to Reddit said the website defacement was meant as retaliation for the manner in which prosecutors handled the case of Aaron Swartz, who co-created the RSS 1.0 specification and helped establish Reddit. Facing a 35-year jail sentence for downloading millions of documents from the academic journal archive JSTOR, Swartz -- who had long battled depression -- earlier this month committed suicide.

Anonymous said it selected the Sentencing Commission's website for its obvious relevance to Swartz's case. "Two weeks ago today, a line was crossed. Two weeks ago today, Aaron Swartz was killed. Killed because he faced an impossible choice," read the Anonymous statement. "Killed because he was forced into playing a game he could not win -- a twisted and distorted perversion of justice -- a game where the only winning move was not to play."

The FBI said it's investigating the website defacements. "We were aware as soon as it happened and are handling it as a criminal investigation," read a statement released by Richard McFeely, executive assistant director of the Criminal, Cyber, Response, and Services Branch of the FBI, reported Bloomberg. "We are always concerned when someone illegally accesses another person's or government agency's network."

While the Sentencing Commission's website was offline, on Monday morning the Asteroids game could still be played on the U.S. Probation Office for the Eastern District of Michigan website, after entering a so-called Konami code (a series of arrows and letters). After that, a dialog box pops up, reading, "PEW PEW PEW PEW PEW! End Prosecutorial Overreach!" From there, site visitors are given a spaceship and allowed to shoot lasers -- and later, a smart bomb -- which obliterates the Web page. Anonymous promised prizes for "a small fraction of winners."

The Anonymous website defacement -- for lack of a better word -- was made as part of the group's broader Operation Last Resort, which seeks to reform the Computer Fraud and Abuse Act (CFAA) under which Swartz was charged. "There must be reform of mandatory minimum sentencing ... a return to proportionality of punishment with respect to actual harm caused, and consideration of motive and mens rea." (Mens rea refers to acting with a "guilty mind.")

To add impetus to its request, Anonymous on Saturday promised that the Asteroids game defacements aren't the only card up its sleeve. The group tweeted on Monday, "How about a nice game of chess Mr Government?" According to a statement released by the group, it's infiltrated a number of government websites and databases -- it refused to disclose which ones -- and stolen sensitive information, which it's been distributing in an encrypted file that has been mirrored to numerous websites.

"The contents are various and we won't ruin the speculation by revealing them," said Anonymous. "Suffice it to say, everyone has secrets, and some things are not meant to be public. At a regular interval commencing today, we will choose one media outlet and supply them with heavily redacted partial contents of the file."

Threats aside, Anonymous is far from the only group calling for the CFAA to be revised. Notably, George Washington University professor Orin Kerr, a former Department of Justice computer crime prosecutor, has proposed specific changes to CFAA, including making it harder for minor crimes to be classified as felonies.

Kerr's proposals have been picked up and refined by the Electronic Frontier Foundation (EFF), in what it calls "Aaron's Law." The group's suggestions have also been endorsed by Jennifer Granick, the director of civil liberties at the Stanford Center for Internet and Society, who described Kerr's initial efforts as "necessary but not sufficient."

Both the EFF and Granick are pushing for a better definition of "without authorization" in the CFAA, which governs when accessing a network resource or system is, or isn't, illegal. "There should be an exception to CFAA liability when a service is offered for free to the public but implements technological controls on either automation, download rate or access time," said Granick in a blog post. "Certainly evading these limits could be a civil violation, or the service may find a way to ban the offender completely, but it should not be a federal crime."

But will Congress pick up on the proposals and reform CFAA?
